Solved

Win32/Exploit.MSWord.Smtag trojan

Posted on 2008-06-25
4
1,441 Views
Last Modified: 2013-11-22
A large MS Word (Office 2003, SP 3) document that I work on regularly appears to have been infected with a trojan this morning.  I'm running ESET / NOD32 (v3217 (20080625)).  This was the NOD32 warning:

Time      Module      Object      Name      Threat      Action      User      Information
6/25/2008 9:48:59 AM      AMON      file      <full path> a variant of Win32/Exploit.MSWord.Smtag trojan <machine name>\jdana      Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

NOD32 was unable to clean the file.  The error message simply reads, "Unable to clean."

Here's the interesting twist: The file was reported infected after the 3217 update.  The 3218 update arrived minutes ago, and suddenly NOD32 reports the file is clean.  Was I looking at a "false positive" from NOD32?   Is there an online tool I can use to verify the file is, in fact, clean?
0
Comment
Question by:jdana
4 Comments
 
LVL 20

Accepted Solution

by:
IndiGenus earned 168 total points
ID: 21867554
Yes sounds like it was a false positive. To make sure you could upload the file to one of the online scanners. It will be scanned by almost every engine out there....

Go to http://virusscan.jotti.org, click on Browse, and upload the file for analysis:

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html
0
 

Assisted Solution

by:vbuckjr
vbuckjr earned 166 total points
ID: 21868126
This is a false positive they had a bad signature file go out in 3217 have corrected it with the 3218 update, you can follow this link to a discussion of this problem.

http://www.wilderssecurity.com/showthread.php?p=1268309



0
 

Assisted Solution

by:Bene007
Bene007 earned 166 total points
ID: 21875092
The proposal is quite correct.
I installed on the 25 of june, the version 3218 (now it is still 3221!) and i get no more false positive !
But, I have to tell you that the 25 opf june the option scan and clean 've deleted some old Word Files !
The option in the action tab doesn't explain that.
Benedicte
0
 

Author Closing Comment

by:jdana
ID: 31470655
Sure enough, the "shadow" trojan vanished with the update.  Thanks for the assistance.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

As more computers now shipped with 64-bit version of Windows, more users are now using this Operating System.  So it's important to be aware how some 32-bit diagnostic tool works on these systems, so we know what to expect when analyzing the logs an…
PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now